[TriLUG] supporting legacy SSL ciphers

Aaron Joyner via TriLUG trilug at trilug.org
Mon Nov 30 16:54:20 EST 2020


Hi Alan!  It's been ages since I thought about that awesome TMIO project.
It's both amazing and terrifying to think you're still supporting it, 14+
years later.  :)

I would suggest that you forego the middle men, and write a little Go
server that speaks TLS.  You should be able to configure it to accept
whatever ancient cipher suite the ovens need, spit out some HTML, and
you'll be off to the races.  As an added bonus, you'll have exactly one
build artifact and all your config will be in the code.  Here are some
pointers to get you started:

https://godoc.org/net/http#example-ListenAndServeTLS
https://godoc.org/crypto/tls#CipherSuite
https://godoc.org/crypto/tls#Config

If you're dead set on Python, you can use exactly the same pattern, but
then you'll be writing in Python.  :)  You're welcome to view this as a
positive or a negative, at your leisure.  Here are some companion pointers
for Python:
https://piware.de/2011/01/creating-an-https-server-in-python/
https://docs.python.org/3/library/ssl.html
https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers

In the unlikely event that the OpenSSL library your Python or Go links
against doesn't even compile in the cipher suite you need, you might try
the simple hack of setting up some very old Raspbian on a nearby Pi and
compiling a Go binary there; Go creates essentially statically linked
binaries which should run mostly anywhere that has a POSIX environment.
That's probably easier than the alternative: dragging in an ancient
openssl dynamic library on your modern Debian repo, and trying to get the
Go compiler or your Python runtime to load it.

Happy hacking!
Aaron S. Joyner


On Mon, Nov 30, 2020 at 4:17 PM Alan Porter via TriLUG <trilug at trilug.org>
wrote:

>
> William Sutton wrote:
>
> > I figured I would have seen a response by now.
> >
> > Any reason you can't use Apache?
>
> I started with apache and mod_wsgi, and then tried nginx and gunicorn.
> I don't have a strong preference one way or the other, but I lean
> towards nginx.
>
>
>
> John Franklin wrote:
>
> > ...or if you’ll have to recompile OpenSSL or GnuTLS first to make it
> > work.
>
> I am pretty sure they all rely on the underlying libraries, and so I
> will have to compile them to get the weak cipher support.
>
> I have not looked at GnuTLS.  Maybe that library is easier to configure
> with the old ciphers.  That's a good lead.
>
>
> > The next issue you’re going to run into … root certs.
> > What root certs do the ovens have, and will they accept expired certs
> > or unknown CAs?
>
> The ovens expect a specific self-signed cert, which I have in place on
> the web server.
>
>
>
> All of this would be so much easier to hack today if I had been a
> little more cavalier back in the day and just used HTTP.
>
> Thanks for your questions to help prod me along.
>
>
> Alan
>
>
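As an added example (not from Aaron's mail or the TMIO project), here is the shape of the little Go server described above: one dedicated listener pinned to a single legacy cipher suite and capped at TLS 1.2, so the weak suite is reachable only there and nothing else on the host has to be weakened. The suite constant, the self-signed certificate and the HTML page are constructed placeholders; in production you would load the specific certificate the ovens are pinned to.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net/http"
	"time"
)

// ovenSuite is a constructed placeholder; substitute the suite the ovens speak.
const ovenSuite = tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA

// legacyTLSConfig pins this one listener to a single legacy suite; MaxVersion
// is TLS 1.2 because CipherSuites has no effect on TLS 1.3 negotiation.
func legacyTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS10,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{ovenSuite},
	}
}

// selfSignedCert makes a throwaway RSA cert for the demo (RSA key exchange
// suites need an RSA key); in production, load the cert the ovens expect.
func selfSignedCert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// serveHTML serves a static page (what the ovens would fetch) over the pinned
// TLS config on a loopback port and returns the address to dial.
func serveHTML(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", legacyTLSConfig(cert))
	if err != nil {
		return "", err
	}
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("<html><body>oven ok</body></html>"))
	}))
	return ln.Addr().String(), nil
}
```

Dialing this listener with a client that offers only a modern ECDHE suite fails the handshake, which is the quick check that the legacy suite is confined to this one port rather than enabled system-wide.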